The identity, credential, and access management policy recently released by the Office of Management and Budget (OMB) mostly keeps existing policy in place, but sets a framework for faster policy evolutions and acknowledges the need for protections within the perimeter, said Sean Frazier, advisory CISO at Duo Security.
Frazier said the new policy, which reinforces existing policies like Homeland Security Presidential Directive (HSPD) 12 and the National Institute of Standards and Technology (NIST) SP 800-63, also includes language that keeps an eye toward the future.
“There’s a bit of text right in the middle of the OMB identity guidance that says, ‘While it is important for you to protect the perimeter, you should really be striving to think about how you apply security in a more perimeter-less world.’ … I think that text gives folks a glimpse into what they’re thinking on taking this and making it flexible for the future,” Frazier said.
A proponent of zero-trust, Frazier noted that the new memo, which keeps PIV and CAC cards as the primary form of identification, isn’t fully there but is a step closer to the architecture.
“Identity is one of the core underpinning tenets of zero-trust,” he said. “Talking about how the perimeter is becoming less important in how we define trust and how we define authentication, that is definitely a zero trust-ism.”
Frazier also highlighted how the memo provides for more frequent updates of ICAM policy, as the last change in OMB policy was in 2011.
“The thing I like about this memo more than anything is that it’s got a nod to the legacy … but it also recognizes the current realities, where you need to be more agile and be able to support a more diverse user population and a more diverse cloud journey, and it even said we’re going to have a normal cadence for updating this document, which is something that hadn’t happened before,” Frazier noted.
He added that the policy connects with other areas and recent developments, like the Trusted Internet Connections (TIC) 3.0 policy and the Continuous Diagnostics and Mitigation (CDM) program.